问题
There are three default security roles in CloudKit:
- World
- Authenticated
- Creator
And three permissions:
- Create
- Read
- Write
How do these security roles and permissions work?
Here are examples of some of the questions I would hope get answered by an explanation of security roles:
- What do the three roles mean? The first two seem obvious, but the last one seems less so. E.g. does Creator refer to the creator of the table, or the creator of a record?
- Where would the deletion permission fall under? Write?
- Can security roles be applied to individual records? (E.g. I want a user to have access to only a subset of the records in the InstantMessages table: the ones they send, and the ones they receive. Can something of this nature be done via security roles?)
- Are permissions inherited? (E.g. Does the creator get all permissions granted from creator, authenticated, and world?)
- Are permissions purely additive? Or can I create a custom role that will remove privileges rather than add them? (E.g. in order to create a "Banned User" security role.)
- How do I set the role on a user? Can I set a default role for every user that is created? Can I change a user's role programmatically?
- How do I create new security roles? Can I create/update them programmatically?
回答1:
1) How do these security roles and permissions work? You set them on the dashboard in the Development environment.
2) What do the three roles mean? The first two seem obvious, but the last one seems less so. E.g. does Creator refer to the creator of the table, or the creator of a record? - Creator of the record (and that means all devices that access CloudKit with the same iCloud Account)
3) Where would the deletion permission fall under? Write? YES
4) Can security roles be applied to individual records? NO
5) (E.g. I want a user to have access to only a subset of the records in the InstantMessages table: the ones they send, and the ones they receive. Can something of this nature be done via security roles?) What does 'access' mean? A user can only read things that your app allows them to read and that they have read permission. A user can only create or write (and delete) records that your app lets them create or modify (and delete) and that they have create or write permission - it takes both.
6) Are permissions inherited? (E.g. Does the creator get all permissions granted from creator, authenticated, and world?) Roles are subsets of the other - a creator is a subset of authenticated. authenticated is a subset of world.
7) Are permissions....programmatically? Permissions go to the broad class "creator" "authenticated" "world" so you can't set permission user-by-user (except that the user who creates a record is the only creator).
But key to all of this is to remember that it takes your apps code to grant create/read/write to a record AND the particular user must have that permission. So you can do anything you want in code to allow anyone to do anything - provided you granted "Authenticated" the right to "write"
来源:https://stackoverflow.com/questions/31369181/how-do-the-cloudkit-security-roles-and-permissions-work